China: Draft standard contract provisions - Operationalising data transfers under PIPL: Part one
On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). OneTrust DataGuidance Research breaks down the Draft Standard Contract Provisions, featuring expert insights from Dehao Zhang, Counsel at Fieldfisher China.
The Draft Standard Contract Provisions are intended to regulate outbound transfers of personal information, protect the rights and interests of individuals, and promote cross-border flows of personal information in a safe and free manner (Article 1). The Draft Standard Contract Provisions require that personal information processors who enter into agreements with overseas recipients to provide personal information outside the People's Republic of China ('PRC') sign a standard contract for the export of personal information in accordance with its provisions (Article 2).
In line with the above, personal information processors and overseas recipients must adhere to the requirements associated with independent contracting and record management to prevent security risks associated with the international transfers, and ensure the lawful, orderly, and free flow of personal information (Article 3). Personal information processors and overseas recipients that sign other contracts related to personal information outbound transfers must ensure they do not conflict with standard contracts as provided by the CAC (Article 2).
Scope of application
The Draft Standard Contract Provisions establish that personal information processors may provide personal information overseas by signing a standard contract if they meet the following requirements (Article 4):
- they are operators of non-critical information infrastructure ('CII');
- they handle the personal information of less than 1 million people;
- since January 1 of the previous year, the cumulative amount of personal information provided overseas has not reached 100,000 people; and
- since January 1 of the previous year, the cumulative amount of sensitive personal information provided overseas is less than 10,000 people.
On this point, Zhang noted, "we all know the SCCs will be applicable to operators of non-CII and organisations who do not achieve the standard of the CAC [as outlined above]. However, the standard of the CAC still needs to be clarified, [for example,] the processing of personal information of 1 million data subjects, transfers of personal information of 100,000 data subjects from 1 January of the previous year, or transfers of sensitive data of 10,000 data subjects from 1 January of the previous year. It is not very clear how to calculate the number".
Obligations for personal information processors
In particular, Zhang highlighted that "if the Draft Standard Contract Provisions become effective, the personal information processor shall firstly conduct a DPIA and sign the SCCs with the data recipient".
More specifically on DPIAs, the Draft Standard Contract Provisions stipulate that before providing personal information overseas, a personal information processor must conduct a DPIA in advance, focusing on the following (Article 5):
- the legality, legitimacy, and necessity of the purpose, scope, and method of processing by the personal information processor and overseas recipient;
- the quantity, scope, type, and degree of sensitivity of the personal information going abroad, and the risks that the export of personal information may bring to the rights and interests of individuals;
- whether the overseas recipient's responsibilities and obligations, as well as the technical and organisational measures for fulfilling such responsibility and obligations, can ensure the safety of personal information leaving the country;
- the risk of leakage, destruction, tampering, misuse, among other things, of personal information after the departure of personal information, and whether the channels for individuals to protect the rights and interests of personal information are open;
- the impact of personal information protection policies and regulations of the country or region of the overseas recipient on the performance of the standard contract; and
- other matters that may affect the safety of personal information out of the country.
The DPIA report must be kept for at least three years.
Filing with the CAC
On filing, Zhang noted that "the personal information processor shall, within ten working days from the effective date of the SCC signed by the personal information processor and the data recipient, file the SCC and the DPIA with the local provincial-level branch of CAC".
On this point, the Draft Standard Contract Provisions stipulate that personal information processors are responsible for the authenticity of the recorded materials, noting that once the standard contract takes effect, personal information processors are permitted to carry out personal information export activities (Article 7).
Importantly, where any of the following situations occur within the validity period of the standard contract, the personal information processor must re-sign the standard contract and record it (Article 8):
- the purpose, scope, type, sensitivity, quantity, method, storage period, storage location, purpose, and method of processing personal information of overseas recipients have changed, or the overseas storage period of personal information has been extended;
- changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located may affect the rights and interests of personal information; and
- other circumstances that may affect the rights and interests of individuals.
On the standard contracts, Zhang detailed, "Chinese SCCs require the data exporter to be a personal information processor, which means the SCC will only be applicable to:
- data transferred from a personal information processor to an entrusted party outside of China;
- data transferred from a personal information processor to another independent personal information processor outside of China; and
- data transferred from a personal information processor to the joint personal information processor outside of China.
I believe only one [of the requirements in the Draft Standard Contract Provisions] is very unique from other SCCs: this is the filing work according to Article 7. I think this will add lots of work to the local branch of the CAC".
The Draft Standard Contract Provisions clarify that a standard contract must include the following main contents (Article 6):
- basic information of the personal information processor and the outbound recipient, including but not limited to name, address, contact name, contact information, among other things;
- the purpose, scope, type, sensitivity, quantity, manner, retention period, and storage location, among other things, of the personal information leaving the country;
- the responsibilities and obligations of the processor and the overseas recipient of personal information to protect personal information, as well as the technical and organisational measures taken to prevent possible security risks arising from the departure of personal information;
- the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located;
- the rights of data subjects and the ways and means to protect their rights; and
- relief, contract termination, liability for breach of contract, and dispute resolution, among other things.
Complaints and violations
Any organisation or individual who finds that a personal information processor has violated the Draft Standard Contract Provisions has the right to file a complaint or report to the CAC at or above the provincial level (Article 10).
In addition, where the CAC at or above the provincial level finds that the personal information export activities conducted on the basis of standard contracts no longer meet the personal information exit security management requirements in the actual processing, the CAC will notify the personal information processor in writing to terminate the personal information export activities. Once the personal information processor receives the notice, the personal information processor must immediately terminate the outbound activities of personal information (Article 11).
The following circumstances are considered an offence subject to criminal responsibility, namely (Article 12):
- failing to perform the filing procedure or submitting false materials for filing;
- failing to perform the responsibilities and obligations stipulated in the standard contract, infringing upon the rights and interests of individuals, and causing damage; and
- other circumstances that affect the rights and interests of individuals.
The CAC at or above the provincial level will follow the provisions of the PIPL and order corrections within a time limit. Those who refuse to make corrections or damage the rights and interests of individuals will be ordered to stop personal information export activities and be punished according to law. If a crime is constituted, criminal responsibility will be investigated according to law (Article 12).
In regard to provisions that companies should be aware of, Zhang highlighted, "Articles 2 and 3 of the Draft Standard Contract Provisions outline the obligations of personal information processors and data recipients respectively, which companies must pay attention to. In addition, Article 4 of the SCCs is the promise of the parties based on the laws and regulations of the data recipient's country/region; companies should pay attention to what they have promised. Article 5 [on the other hand] protects the personal information rights of data subjects, which is also important. Article 7 is the termination clause, which addresses contract termination situations; I believe this should also be given attention. [Furthermore,] the data recipient should note that the SCCs require the applicable law of dispute resolution be Chinese law, which may also impact some companies".
Finally, the Draft Standard Contract Provisions are open for public comments until 29 July 2022.
Keshawna Campbell Lead Privacy Analyst
Comments provided by:
Dehao Zhang Counsel
Fieldfisher China, Beijing